Final Revision Sheet

DEALING WITH THE WEBSITE DATA

> Before creating the search-for-term process, we should shed light on:
  - The looping concept.
  - Some looping statements in the PHP language.
  We need, in some programs, to repeat a certain code many times, or to repeat it up to a certain limit; this is what we will use when writing PHP code.

> The PHP language affords looping statements like (For - While - do...While).

> Some examples of the usage of looping statements:

> Using the while statement:

    <?php
    $x = 1;
    while ($x <= 100)
    {
        echo ($x);
        echo ("<br>");
        $x++;
    }
    ?>

  While { }: used to execute an unknown or unlimited number of repetitions. These repetitions are executed only on one condition: the condition is tested first, and the body runs while the result is true.

> Using the do...while statement:

    <?php
    $x = 1;
    do
    {
        echo ($x . "<br>");
        $x++;
    }
    while ($x <= 100);
    ?>

  Do...while: used to execute an unlimited or unknown number of repetitions; the loop body is executed once before the condition is tested to see if it is true.
  Examples: searching in a database and searching the internet; printing the initial value of the variable.

> Using the for statement:

    <?php
    for ($x = 1; $x <= 100; $x++)
    {
        echo ($x);
        echo ("<br>");
    }
    ?>

  For: used to execute a known or limited number of repetitions. It works the same way as the while statement.
  Example: printing the email address of the ministry website 10 times.
THE MOST IMPORTANT CODES

<table> </table>                  Declaring a table
<tr> </tr>                        Declaring a row
<td> </td>                        Declaring columns
<?php                             The start of PHP code
?>                                The end of PHP code
include("header.php");            Including the header and connection pages
include("connection.php");        with the current page
mysql_query("SET NAMES 'utf8'")   Shows Arabic data correctly instead of question marks (????)
mysql_query()                     Stores the result of the query in the variable
select *                          Searching for all the fields of the data table
while                             Looping statement
echo                              Print
;                                 End of a PHP statement
$num                              Number of records
<br>                              New line
<a> </a>                          Creating a hyperlink

AN ENTRY IN SECURING WEBSITES

> Securing websites is a necessity to stop penetration, which leads to many harms and negative results like:
1. Stealing or losing an important database, which may lead to great problems in all fields.
2. Obtaining institutional or personal information, with the harm it may cause.
3. Showing unsuitable content that might contain political, religious or ethical attitudes.
4. Deforming the image of the institution or the person who owns the website generally.
THE PENETRATION CONCEPT
It is generally called website hacking: the penetrator (the hacker) uses a method or a weak program that enables him to obtain the privilege of controlling the website management, or of dealing with its database in any way (showing, deleting, editing and so on).

THE WAYS OF PROTECTING THE WEBSITE
1. Protecting the server (website hosting): protecting the website here is the responsibility of the server or website hosting, which makes/sets the security options and controls.
2. Protection by the website developers:
   - Be sure of the inputs before saving them in the database.
   - Encrypt passwords.
   - Manage the important website folders with strong passwords.
   - Specify the user's permissions correctly and clearly.

SOME PRECAUTIONS TO KEEP SECURING THE WEBSITE

1- Keep software up to date
Be sure of the continual updating of the programs that are in use.
2- Dealing with error messages
It is necessary to know the possible errors and try to hide them, because these errors make the website weak and easy to penetrate.
3- The certainty of correct validation of the input data from the user (website visitor)
If this does not happen, it paves the way to penetrating the website: penetration happens through inserted inputs, so one of the main bases of protection from penetration is to be sure of the user's input data.
For example:
Make sure the field contains values that do not exceed a certain number of letters, or make sure the field is not empty; that is done by the (if) clause in the code of the used language, to be sure of the validity of the input data.
We can do that on two levels:
Firstly: on the server, by using PHP code.
Secondly: on the client side, by using JavaScript code.

    if ($term !== "" && $trans !== "" && $defe !== "" && !empty($file))
    {
        // The code that is executed after making sure the previous variables are not empty.
    }

Thirdly: Passwords:

Passwords should be complicated so that it is difficult for a penetrator to discover them, especially the server password, the site admin password and the database passwords.

Note:

For the private passwords of the website's users: we could force the user to insert passwords with special characteristics. For example, a number of letters not less than 8, containing capital letters together with numbers and special signs.

Passwords should always be kept encrypted by using one of the available encryption styles in the PHP language, like the SHA function (salted password) or the MD5 function.

4- Avoid the insertion of SQL statements, usually known as SQL injection, when dealing with sites:

A penetrator might try inserting a special parameter inside a SQL statement, through the site's database input form, so that it is executed on the database without the designer or the person in charge of the site knowing, in order to give other results.
For securing against that we use the mysql_real_escape_string function to prevent the insertion of SQL statements into the database.
5- Avoid XSS (Cross-Site Scripting) code being written through the website.
The penetrator may insert code into the web pages, which may lead to negative effects and risks for both the user and the website owner.
For example:
If there is a form that allows the user to write a comment and then shows all comments, the penetrator will use it to write JavaScript code. When the comment is sent to the server, this code is stored in the database, and when it is shown in the HTML page the code is executed. This may redirect the user to another page with harmful content or a phishing page (it contains a fake form to get important data, like passwords or a credit card number, from a user visiting the site). We can avoid that by using a suitable programming style, like not allowing any script in the comment fields.
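As an added example (not code from the original sheet), the comment form described above handled on the server: the comment is kept as plain text and every special character is encoded when it is shown, so a stored script is displayed as text rather than executed. The sample comments and the placeholder host are constructed.

```php
<?php
// Added example (not from the original sheet): keep the comment as plain text and
// encode every special character when it is shown, so a stored script is
// displayed as text rather than executed. The sample comments are constructed.

// Decide whether a comment may be stored: non-empty, valid UTF-8, bounded length.
function comment_is_acceptable(string $comment): bool
{
    $comment = trim($comment);
    return $comment !== ''
        && mb_check_encoding($comment, 'UTF-8')
        && mb_strlen($comment, 'UTF-8') <= 500;
}

// Encode a comment for insertion into HTML; ENT_QUOTES also covers ' and ".
function render_comment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample comments; the second carries a redirect script like the
// one the sheet describes (placeholder host, not a real site).
$comments = [
    "Thank you for the useful page.",
    "<script>location='http://PHISHING-PLACEHOLDER.example/'</script>",
];

foreach ($comments as $c) {
    if (!comment_is_acceptable($c)) {
        continue;                   // rejected before it reaches the database
    }
    // Appears as &lt;script&gt;... in the page source; the browser never runs it.
    echo "<p>" . render_comment($c) . "</p>\n";
}
```

Encoding at output time protects every place the comment is shown, whereas a filter on the input field alone can be bypassed or forgotten for another page.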
6- File Uploads:
- Allowing file uploads to your site may cause great risks.
- Be sure of the file identity; if the file is supposed to be an image, we should be sure that it really is one.
For example:

    $file = $_FILES['uploadedfile'];
    $allowedExtensions = array("jpg", "jpeg", "gif", "png");
    $parts = explode('.', $file['name']);
    if (!in_array(end($parts), $allowedExtensions))
    {
        echo 'Only jpg, jpeg, gif, png files are allowed';   // the message is in Arabic in the original
        exit(0);
    }

The certainty of the size of the file which is to be uploaded:

To be sure of the size of the file which is about to be uploaded to the server through the page, and that it is about 1 MB, we write the following code:

    if ($file['size'] > 1024000)
    {
        echo 'The file size exceeds the allowed limit';   // the message is in Arabic in the original
    }
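As an added example (not the sheet's own code), a stricter form of the two upload checks above. Besides the extension and the size, it verifies that the bytes really are an image, because the file name in $_FILES is chosen by the client; the upload directory /var/uploads and the function names are assumptions.

```php
<?php
// Added example, not the sheet's code: stricter upload checks. Besides the
// extension and size tests the sheet shows, it checks that the bytes really are
// an image, since the file name is chosen by the client. $upload_dir is assumed.
// Returns an error message, or null when the upload passes every check.
function validate_image_upload(array $file, int $max_bytes = 1024000): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed';
    }
    if ($file['size'] > $max_bytes) {               // same limit as the sheet
        return 'The file size exceeds the allowed limit';
    }
    // Extension check with pathinfo() instead of end(explode(...)).
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'gif' => 'image/gif', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return 'Only jpg, jpeg, gif, png files are allowed';
    }
    // The content must match the extension: sniff the MIME type from the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return 'File content does not match its extension';
    }
    if (getimagesize($file['tmp_name']) === false) {   // must decode as an image
        return 'File is not a valid image';
    }
    return null;
}

// Store under a random server-chosen name, never the client's file name.
function store_image_upload(array $file, string $upload_dir): string
{
    $name = bin2hex(random_bytes(16)) . '.' . strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!move_uploaded_file($file['tmp_name'], $upload_dir . '/' . $name)) {
        throw new RuntimeException('Could not store the uploaded file');
    }
    return $name;
}

if (isset($_FILES['uploadedfile'])) {
    $problem = validate_image_upload($_FILES['uploadedfile']);
    if ($problem !== null) {
        echo htmlspecialchars($problem, ENT_QUOTES, 'UTF-8');
        exit(0);
    }
    echo 'Stored as ' . store_image_upload($_FILES['uploadedfile'], '/var/uploads'); // assumed dir
}
```

Keeping the upload directory outside the web root, as assumed here, means a file that passes the checks still cannot be requested and executed as a script.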


Note

Function array
It creates a new array which contains a group of elements.

Function in_array
in_array(the element to search for in the array, the array elements)
It makes sure that the 1st parameter is inside the elements of the array (the 2nd parameter).

Function end
It is one of the array functions and is meant to return the value of the last element in an array.

Function explode
explode('.', $file['name'])
Its job is to turn a variable into an array which contains several elements, and it gets two parameters:
1st: the separator between the contents of the variable; it could be (space - dash - full stop); in the example it is (.).
2nd: the content of the variable which is meant to be turned into an array; here it is ($file['name']).

7- Secure Socket Layer (SSL):
It is a protocol to support secure dealing between the web server and the web browser through a mediator called a certificate authority (CA), which could be translated as a certification body. This affords secure pages which use the HTTPS protocol instead of HTTP, especially for websites which deal with financial transactions or important data forms.

8- Using applications and website security tools
After finishing designing the website, we should test the web security by using code and ways similar to what penetrators use; sometimes this is called pen testing (penetration testing).
> Applications that test website security against penetration; some of them are free or open source:
  - OpenVAS: one of the biggest open source applications that is used widely for testing web security.
  - Netsparker: good for SQL injection and XSS testing.

CREATING THE REGISTRATION PAGE (REG.PHP)

1. Design the page by using the Expression Web program.
Note:
The form is used for passing or sending all the data that exists in all the controls from the web page to the web server. There are 2 ways for sending the form data:
1- <form method="GET">
2- <form method="POST">

    GET:  the data sent is little and not secret, because it appears on the address line of the internet screen.
    POST: secret and secured data is sent (important data).

2. Adjust the form characteristics; be sure of specifying the value post for the method, as in the following figure.
3. Add the following PHP code to the page:

    <?php
    include("header.php");
    ?>

    <?php
    include("connection.php");
    ?>

    <?php
    session_start();
    ?>

    <?php
    mysql_query("SET NAMES 'utf8'");
    if (isset($_POST['submit1']))
    {
        $txt_user = $_POST['txt_user'];
        $txt_pass = $_POST['txt_pass'];
        $txt_con  = $_POST['txt_con'];
        $query = mysql_query("insert into users (username, password) values ('$txt_user', '$txt_pass')");
    }
    ?>

Explaining the code:
- include("header.php"): includes header.php in the registration page.
- include("connection.php"): includes the page that is connected to the database.
- session_start(): the declaration about using a session inside the page. Note: we should write this code at the beginning of the page, before the other code.
- mysql_query("SET NAMES 'utf8'"): solves the problem of dealing with data in the Arabic language correctly on the browser screen, without question marks.
- if (isset($_POST['submit1'])): we use the (if) statement to be sure that the submit button was pressed.
- $txt_user: the username variable; $txt_pass: the password variable; $txt_con: the confirming-password variable.
- mysql_query("insert into users ..."): used to add the data of a new record to the users table in the database. (The column list of the insert is illegible in the scan; the users table has the fields username and password.)

After studying the possible procedures and data in the reg.php page and their effect on the inputs in the users table, it is clear that the form has no security rules or precautions, because of the following reasons:
1. There is no certainty of data validation (accepting empty fields, no test for identical passwords, ...).
2. The username field in the users table is not unique, and this is illogical, as there should not be more than one user with the same username.
3. The password is stored clear, without encryption.

For treating these problems we should do the following:
1. Data validation: add the missing checks listed above.
2. Click on Structure in the MySQL page, then click to make the username field unique (a unique field does not accept repetition).
3. Encryption of the password: there are many methods for encrypting passwords; one of them is using the MD5 function (message-digest algorithm).

The rest of the code in the scan is only partially legible; the recoverable statements are a query that checks whether the username already exists in the database, mysql_fetch_array($query), $_SESSION['username'] = ..., header("Location: index.php"); and a closing }.
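The three fixes above applied in code, as an added example that is not the sheet's reg.php. It assumes a mysqli connection $conn created in connection.php, a users table with the columns username (with a UNIQUE index) and password, and it stores passwords with password_hash() (a salted bcrypt hash) in place of the MD5 function the sheet names; validate_registration and register_user are names chosen here.

```php
<?php
// Added example, not the sheet's reg.php: the three fixes in code. Assumes a mysqli
// connection $conn from connection.php, a users table (username UNIQUE, password),
// and password_hash() in place of the MD5 the sheet names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);  // errors become exceptions
// Returns an error message, or null when the registration data is acceptable.
function validate_registration(string $user, string $pass, string $confirm): ?string
{
    if ($user === '' || $pass === '' || $confirm === '') {
        return 'All fields are required';                    // no empty fields
    }
    if ($pass !== $confirm) {
        return 'The two passwords are not identical';        // confirmation test
    }
    // The sheet's rule: at least 8 characters with a capital letter, a number and a special sign.
    if (strlen($pass) < 8 || !preg_match('/[A-Z]/', $pass)
        || !preg_match('/[0-9]/', $pass) || !preg_match('/[^A-Za-z0-9]/', $pass)) {
        return 'Password needs 8+ characters, a capital letter, a number and a special sign';
    }
    return null;
}
// Inserts the user with a prepared statement; false means the username is taken.
function register_user(mysqli $conn, string $user, string $pass): bool
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);       // salted bcrypt hash
    $stmt = $conn->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $hash);
    try {
        return $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) {                     // duplicate key: the UNIQUE index refused the name
            return false;
        }
        throw $e;
    }
}
if (isset($_POST['submit1'])) {
    $user = trim($_POST['txt_user'] ?? '');
    $pass = $_POST['txt_pass'] ?? '';
    $problem = validate_registration($user, $pass, $_POST['txt_con'] ?? '');
    if ($problem !== null) {
        echo htmlspecialchars($problem, ENT_QUOTES, 'UTF-8');
    } elseif (!register_user($conn, $user, $pass)) {
        echo 'This username is already registered';
    } else {
        header('Location: index.php');
        exit;
    }
}
```

The UNIQUE index is what actually enforces one account per name; a separate "select then insert" check can be raced by two simultaneous requests, so the code relies on the database error instead.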


DESIGNING THE PAGES SIGNIN.PHP / SIGNOUT.PHP

Firstly: creating signin.php by using Expression Web
1. Open Expression Web and design a page called signin.php; insert a form and insert the controls on it.
2. Study the HTML code.
3. Add the following PHP code in place of the corresponding part of the previous code screen:

    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta content="en-us" http-equiv="Content-Language">
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
    <title>[Arabic title, illegible in the scan]</title>
    </head>
    <body dir="rtl">
    <?php
    include("header.php");   // PHP code that includes the header page
    ?>
    <span lang="ar-eg"><strong><span class="style2">[Arabic heading]</span></strong></span>
    <br class="style2">
    <form name="admin" action="signin.php" method="post" enctype="multipart/form-data">
    [Arabic: username label]&nbsp;&nbsp;<input name="user" type="text"><br><br><br>
    [Arabic: password label]&nbsp;&nbsp;&nbsp;<input name="pass" type="password"><br>
    <br>
    <input name="submit1" type="submit" value="[Arabic: sign in]">
    &nbsp;&nbsp;&nbsp;&nbsp;<a href="reg.php">[Arabic link text]</a>
    </form>
    </body>
    </html>
PHP code

    $sql = "select * from users where username='$usern' && password='$passw'";
    $query = mysql_query($sql);
    $num = mysql_num_rows($query);
    if ($num == 1)
    {
        // the body of the if statement is not shown on the sheet
    }

Through the select statement we search the users table in the database for the username which was entered and put in the variable $usern, and also for the password which was entered and put in the variable $passw, on one condition: the name and the password are there together and identical to the inputs.

mysql_num_rows($query) is used to specify the number of records which have been retrieved, and the number is stored in the variable $num.

In the last part of the signing-in page the variable $num is tested; if its value equals 1, it means that there is exactly one user with his own password in the users table.

Note that:
If the value of the variable $num equals (0), this means there is no record in the users table with the entered user and password, and then the page stays as it is.
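The same lookup written so that a quote in the username cannot change the meaning of the query (the SQL injection the precautions warn about), with the password compared against a stored hash and the session restarted after login. This is an added example, not the sheet's signin code; it assumes $conn (a mysqli connection from connection.php), that passwords were stored with password_hash(), and the name sign_in.

```php
<?php
// Added example, not the sheet's signin code: the same lookup with a prepared
// statement, so quotes in the username stay plain data, and the password checked
// against the stored hash. Assumes $conn (mysqli, from connection.php) and that
// passwords were stored with password_hash().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Returns true and starts the user's session when the credentials match.
function sign_in(mysqli $conn, string $usern, string $passw): bool
{
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $usern);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such user
    // Verify against a dummy hash when the user is unknown, so the response time
    // does not reveal which usernames exist.
    $hash = $row['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($passw, $hash) || $row === null) {
        return false;
    }
    session_regenerate_id(true);                  // fresh session id after login
    $_SESSION['username'] = $usern;
    return true;
}

session_start();
if (isset($_POST['submit1'])) {
    $usern = trim($_POST['user'] ?? '');
    $passw = $_POST['pass'] ?? '';
    if ($usern !== '' && $passw !== '' && sign_in($conn, $usern, $passw)) {
        header('Location: index.php');
        exit;
    }
    echo 'Username or password is incorrect';     // one message for both cases
}
```

The password is never part of the query: the row is selected by username only, and password_verify() does the comparison, so the "&& password='$passw'" condition of the sheet's query is no longer needed.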


Secondly: designing the signout.php page by using Expression Web

    <?php
    session_start();
    $_SESSION['username'] = "";
    header("Location: index.php");
    exit;
    ?>

THE WEBSITE SECURITY PRECAUTIONS

After finishing designing all the website pages, including signing a user in and out, we should secure the site by the following:
Adding the code that starts the session; we are asked to do it for the registered user only, as an entry. The aim is to offer the ability to get the user's name, as it is an entry only.

    <?php
    session_start();
    ?>
    <?php
    if (@$_SESSION['username'] == "")
    {
        echo (" <a href='signin.php'><span lang='ar-eg'>[Arabic: Sign in]</span></a>");
        echo ("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ");
        echo "[Arabic: The user is not registered]";
        $_SESSION['username'] = "";
    }
    else
    {
        echo (" <a href='signout.php'><span lang='ar-eg'>[Arabic: Sign out]</span></a>");
        echo ("&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ");
        echo ("[Arabic: You're welcome] " . $_SESSION['username']);
    }
    ?>
Explaining the code:
The conditional IF statement: if (@$_SESSION['username'] == "")
> The PHP language deals with the sign @ as a variable.
> One of the rules of the PHP language is to put the sign $ before the variable name.
> $_SESSION is a variable in the server memory for the certainty of whether the user has signed in or not.
The condition concerned with the IF statement tests whether the username equals null, which means it is empty and has no data; there are two cases, whether the condition is satisfied or not.

o If the condition is true (yes):
"Sign in" becomes a hyperlink to the sign-in page called signin.php; the code leaves many spaces and prints "the user isn't registered" on the browser page, then the value of the session variable in the code is null:
    $_SESSION['username'] = "";

o If the if condition isn't true:
It means the session contains a value, which is the username; then the "sign out" phrase becomes a hyperlink to the sign-out page called signout.php, the code leaves many spaces and prints a welcome message ("you're welcome") on the browser page, then leaves many spaces and writes the username that is stored in the session variable, by the code:
    echo $_SESSION['username'];